Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

SPN Purpose

A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

↑ Return to Top

SPN Format

serviceclass/host:port servicename

serviceclass and host are required, but port and service name are optional. The colon between host and port is only required when a port is present.

See the following table for a description of each element in the command above:



serviceclass A string that identifies the general class of service; for example, "SqlServer". There are well-known service class names, such as "www" for a Web service or "ldap" for a directory service. In general, this can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash (/) to separate elements, so this character cannot appear in a service class name.
host The name of the computer on which the service is running. This can be a fully-qualified DNS name or a NetBIOS name. Be aware that NetBIOS names are not guaranteed to be unique in a forest, so an SPN that contains a NetBIOS name may not be unique.
port An optional TCP or UDP port number to differentiate between multiple instances of the same service class on a single host computer. Omit this component if the service uses the default port for its service class.
accountname An optional name used in the SPNs of a replicable service to identify the data or services provided by the service or the domain served by the service. This component can have one of the following formats:  
  • The distinguished name or objectGUID of an object in Active Directory Domain Services, such as a service connection point (SCP).
  • The DNS name of the domain for a service that provides a specified service for a domain as a whole.
  • The DNS name of an SRV or MX record.

Examples of SPN registrations:

  • HTTP/ – Any page on the Web site on the default TCP port 80 for, that is
  • HTTP/ – Any page on the Web site on the non-standard TCP port 8080 for, that is
  • HOST/WORKSTATION5 - Any service running on the computer with NetBIOS name WORKSTATION5
  • HOST/ - Any service running on the computer with hostname
  • TERMSRV/ - The Remote Desktop Protocol (RDP) service running on the computer with hostname 
  • MSSQLSvc/ – The SQL Server listening on, port 1433.
  • cifs/ – The file share on the computer with hostname


  • You only need to specify a port when a non-default port is used for the service. See Port Numbers for a list of assigned port numbers.
  • The NetLogon service registers the default SPNs for the base operating system and refreshes those every 22 minutes after operating system startup.

↑ Return to Top


SetSPN is the application used to manage SPNs for Windows computers. With SetSPN, you can, view, edit, and delete SPN registrations. The command syntax follows:

 Setspn serviceclass/host:portnumber servicename

For example, to register the FIMService on the standard port (meaning you don't have to specify the port number) on a computer named FIMSVR in a domain named that is using a service account named FIMService, use the following command:

setspn -s FIMService/ CONTOSO\FIMService

The switch -s adds the SPN after verifying that there are no duplicates. To see a list of the SetSPN switches, you can run the command setspn /?

To register the http service on the standard port on a computer named CES1 in the domain using a service account named CES, use the following command:

setspn -s http/ CORP\CES

↑ Return to Top

Viewing or Checking SPN Registrations

To check the SPNs that are registered for a specific computer using that computer, you can run the following commands from a command prompt:

  • setspn -L hostname - Substitute the actual hostname for the computer for hostname (to see the hostname, type hostname as a command prompt). For example, if you typed hostname at the command prompt and the computer reported the name ContosoDC1, you could then type setspn -L contosoDC1 to see what SPNs are registered for that hostname.
  • setspn -L localhost - This command will check registrations for the account localhost, which is a name indicative of the local computer.  

↑ Return to Top

SPN Registration

The SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service’s SPN to differentiate it from other services running on that computer.

↑ Return to Top

Errors Related to SPN Registration or Configuration

The following error event in the Directory Service log of a domain controller can appear when SPN issues are present:

Event Type Error
Event Source NTDS Replication
Event Category Replication
Event ID 1645
Description The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server.

Additional errors that may be seen related to SPN issues:

Leave a Comment
  • Please add 8 and 2 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
  • Geert Baeten edited Revision 49. Comment: Added little bit of info about delegation settings but needs more work...

  • Kurt L Hudson edited Revision 44. Comment: Added an example for deleting an SPN

  • Richard Mueller edited Revision 43. Comment: Added "Return to Top"

  • Richard Mueller edited Revision 42. Comment: Make headers bold

  • Richard Mueller edited Revision 41. Comment: Format header lines, fix HTML

  • Fernando Lugão Veltem edited Revision 40. Comment: added toc

  • Mike Kline edited Revision 39. Comment: Added AskPFE blog entry and setspn -x info

  • FZB edited Revision 38. Comment: typo

  • FZB edited Revision 37. Comment: formating

  • FZB edited Revision 36. Comment: formating

Page 1 of 2 (19 items) 12
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
  • Kurt Hudson MSFT edited Revision 26. Comment: Removed in the domain, since that was not relevant for the example.

  • Kurt Hudson MSFT edited Revision 27. Comment: Add the command from the figure, so people can see it if the imagine does not appear for them.

  • Kurt Hudson MSFT edited Revision 28. Comment: Added two additional references and went through links to make them open in new windows

  • Kurt L Hudson edited Revision 29. Comment: Updated with some information from Arren Conner and CSS

  • Kurt L Hudson edited Revision 31. Comment: Added another example and put more detail in the FIM example

  • Kurt L Hudson edited Revision 32. Comment: updated with new guidance about SetSPN -s and reference about duplicate SPNs

  • Kurt L Hudson edited Revision 33. Comment: updated to mention KB 970536

  • Kurt L Hudson edited Revision 34. Comment: fixing formatting and links

  • FZB edited Revision 35. Comment: typo

  • FZB edited Revision 36. Comment: formating

  • FZB edited Revision 37. Comment: formating

  • FZB edited Revision 38. Comment: typo